CVE-2025-70866: LavaLite CMS 10.1.0 Remote Code Execution (RCE) via Blade Template Injection

1. Vulnerability Overview

CVE ID: CVE-2025-70866
Type: Remote Code Execution (RCE)
Vendor: LavaLite
Product: CMS
Version: 10.1.0
Severity: Critical

2. Description

A Remote Code Execution (RCE) vulnerability exists in LavaLite CMS version 10.1.0. An authenticated attacker with superuser privileges can inject malicious PHP code into the content field when creating or editing a page, provided the page's compile option is enabled. When the page is viewed, the application passes the stored content to the blade_compile() helper, which compiles it as a Blade template and then executes the compiled template string directly. Blade is a template compiler, not a sandbox: its output is plain PHP, so any PHP embedded in the stored content runs with the privileges of the web server process.

3. Root Cause Analysis

The vulnerability arises from the interaction between PagePublicController.php and the blade_compile() helper in helpers.php.

1. Input Vector: The administrator creates or edits a page at /admin/page/page/create, injecting Blade/PHP code into the content field and enabling compile.
2. Trigger Logic (PagePublicController.php): When the page is requested, the controller hands the stored content to blade_compile() whenever compile is enabled, so the attacker-controlled text is treated as a template rather than as data.
3. Vulnerable Implementation (helpers.php): blade_compile() compiles the string with the Blade compiler and directly executes the compiled result.

4. Proof of Concept (PoC)

Steps to Reproduce:
1. Log in to the administration panel as a superuser.
2. Navigate to the "Pages" module (/admin/page/page/create).
3. Create a new page with the following details:
   - Name: Exploit Test
   - URL: /exploit-test
   - Compile: Yes / True (set the checkbox or parameter to 1)
   - Content: the payload (Blade markup embedding the PHP code to execute)
4. Save the page.
5. Access the page in a browser (e.g. http://target-site/exploit-test).
6. Result: The payload executes, writing a webshell to disk; the page displays "hacked: [path_to_shell]".

5. Impact

Successful exploitation allows an authenticated superuser to execute arbitrary PHP code on the server as the web server user, potentially leading to full system compromise, data theft, or denial of service. Because the code lives in a stored page, it runs again on every request for that page until the content is changed, and because nothing separates compiled content from the application, any compromise of a superuser account (reused or phished credentials, a hijacked session) escalates directly to code execution on the host.

6. References

Affected File: vendor/lavalite/framework/src/Litepie/Foundation/helpers.php
Method: blade_compile()
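The compile-then-execute pattern described in section 3, shown beside a rendering path in which stored content never reaches the Blade compiler. This is an added illustrative example, not LavaLite's own code: the helper names render_compiled and render_as_data, the PAGE_TEMPLATE constant and the sample stored content are assumptions, and the script assumes the illuminate/view package (with its dependencies) is installed through Composer in the working directory. The real blade_compile() helper's execution call is not reproduced; eval is used here only to show that compiled Blade is ordinary PHP.

```php
<?php
// Added example (not LavaLite's code). Assumes illuminate/view is installed
// with Composer in the current directory; all names below are illustrative.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Filesystem\Filesystem;
use Illuminate\View\Compilers\BladeCompiler;

// Standalone Blade compiler; the cache path is required but unused by compileString().
$compiler = new BladeCompiler(new Filesystem(), sys_get_temp_dir());

// VULNERABLE PATTERN. Stored page content is treated as a template: Blade
// turns it into PHP and that PHP is executed. Blade does not sandbox, so
// {{ }} expressions, @php blocks and raw <?php tags can call any function.
// (eval stands in for the real helper's execution call, which is not shown.)
function render_compiled(BladeCompiler $compiler, string $stored): string
{
    $php = $compiler->compileString($stored);   // e.g. {{ f() }} -> <?php echo e(f()); ?>
    ob_start();
    eval('?>' . $php);                           // runs whatever the content compiled to
    return ob_get_clean();
}

// SAFE PATTERN. The template is developer-owned and fixed; stored content is
// bound as a variable that {{ }} HTML-escapes. Attacker text is never compiled,
// so there is no template to inject into. (In a real application this would be
// a .blade.php file rendered through view(); compileString keeps the example
// self-contained.)
const PAGE_TEMPLATE = '<article class="page">{{ $content }}</article>';

function render_as_data(BladeCompiler $compiler, string $stored): string
{
    $php = $compiler->compileString(PAGE_TEMPLATE);  // trusted template only
    $content = $stored;                              // data for the template, never compiled
    ob_start();
    eval('?>' . $php);
    return ob_get_clean();
}

// Constructed "stored content": benign, but it is a function call, which is the
// whole point. Under the vulnerable pattern the call executes; under the safe
// pattern the text is printed verbatim (escaped) and nothing runs.
$stored = '<p>{{ phpversion() }}</p>';

echo render_compiled($compiler, $stored), PHP_EOL;
echo render_as_data($compiler, $stored), PHP_EOL;
```

Run with `php example.php`: the first line interpolates the interpreter's version, proving the expression inside the stored content was evaluated; the second line prints the escaped literal text, because the compiler only ever saw PAGE_TEMPLATE. If a CMS must allow HTML in stored content, the safe path is still to bind it as data and pass it through an HTML sanitizer before an unescaped echo, never to compile it.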
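For a responder checking whether an installation has already been abused via the PoC in section 4, an added triage helper that flags stored pages whose content would be compiled and contains constructs that hand control to the PHP runtime. This is example code, not part of the advisory or of LavaLite: the column names id, compile and content mirror the fields named in the PoC but are assumed, the rows in PAGE_ROWS are constructed samples standing in for a pages-table export, and the indicator list is a starting point rather than a complete filter.

```php
<?php
// Added example, not LavaLite's code. Column names are assumed; rows are constructed.
const PAGE_ROWS = [
    ['id' => 1, 'compile' => 0, 'content' => '<p>Welcome to the site</p>'],
    ['id' => 2, 'compile' => 1, 'content' => '<h1>{{ $page->name }}</h1>'],
    ['id' => 3, 'compile' => 1, 'content' => '<p>hi</p>@php file_put_contents("/tmp/x.php", "pwned"); @endphp'],
    ['id' => 4, 'compile' => 1, 'content' => '{{ shell_exec($_GET["c"]) }}'],
    ['id' => 5, 'compile' => 1, 'content' => '<?php system("id"); ?>'],
];

// Constructs that mean "run code" rather than "print data". Blade passes raw
// <?php tags through untouched, @php opens a PHP block, and {{ }} / {!! !!}
// evaluate an arbitrary expression. A plain {{ $var }} echo is not flagged.
const INDICATORS = [
    'raw PHP open tag'       => '/<\?(php|=)/i',
    '@php directive'         => '/@php\b/',
    'dangerous call in echo' => '/\{[{!]{1,2}.*?\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|file_put_contents|call_user_func|base64_decode)\s*\(/is',
];

// Returns [page id => list of matched indicator names], considering only rows
// whose compile flag is set, since only those reach the Blade compiler.
function audit_pages(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        if ((int) $row['compile'] !== 1) {
            continue; // rendered as-is, never compiled
        }
        $hits = [];
        foreach (INDICATORS as $name => $regex) {
            if (preg_match($regex, $row['content'])) {
                $hits[] = $name;
            }
        }
        if ($hits) {
            $findings[$row['id']] = $hits;
        }
    }
    return $findings;
}

foreach (audit_pages(PAGE_ROWS) as $id => $hits) {
    printf("page %d: %s\n", $id, implode(', ', $hits));
}
```

On the constructed rows, pages 3, 4 and 5 are reported and pages 1 and 2 are not. Treat the regexes as triage, not as a filter: any row with compile set deserves a manual read, since a {{ }} expression can reach any function without using one of the listed names. Pair the content audit with a search for recently written .php files in web-server-writable directories and a review of the compiled Blade view cache, which will still hold the PHP generated from the injected page.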